diff options
Diffstat (limited to 'server/static/dnt-policy/dnt-policy-1.0.txt')
-rw-r--r-- | server/static/dnt-policy/dnt-policy-1.0.txt | 218 |
1 files changed, 218 insertions, 0 deletions
diff --git a/server/static/dnt-policy/dnt-policy-1.0.txt b/server/static/dnt-policy/dnt-policy-1.0.txt new file mode 100644 index 000000000..ad946d1f8 --- /dev/null +++ b/server/static/dnt-policy/dnt-policy-1.0.txt | |||
@@ -0,0 +1,218 @@ | |||
1 | Do Not Track Compliance Policy | ||
2 | |||
3 | Version 1.0 | ||
4 | |||
5 | This domain complies with user opt-outs from tracking via the "Do Not Track" | ||
6 | or "DNT" header [http://www.w3.org/TR/tracking-dnt/]. This file will always | ||
7 | be posted via HTTPS at https://example-domain.com/.well-known/dnt-policy.txt | ||
8 | to indicate this fact. | ||
9 | |||
10 | SCOPE | ||
11 | |||
12 | This policy document allows an operator of a Fully Qualified Domain Name | ||
13 | ("domain") to declare that it respects Do Not Track as a meaningful privacy | ||
14 | opt-out of tracking, so that privacy-protecting software can better determine | ||
15 | whether to block or anonymize communications with this domain. This policy is | ||
16 | intended first and foremost to be posted on domains that publish ads, widgets, | ||
17 | images, scripts and other third-party embedded hypertext (for instance on | ||
18 | widgets.example.com), but it can be posted on any domain, including those users | ||
19 | visit directly (such as www.example.com). The policy may be applied to some | ||
20 | domains used by a company, site, or service, and not to others. Do Not Track | ||
21 | may be sent by any client that uses the HTTP protocol, including websites, | ||
22 | mobile apps, and smart devices like TVs. Do Not Track also works with all | ||
23 | protocols able to read HTTP headers, including SPDY. | ||
24 | |||
25 | NOTE: This policy contains both Requirements and Exceptions. Where possible | ||
26 | terms are defined in the text, but a few additional definitions are included | ||
27 | at the end. | ||
28 | |||
29 | REQUIREMENTS | ||
30 | |||
31 | When this domain receives Web requests from a user who enables DNT by actively | ||
32 | choosing an opt-out setting in their browser or by installing software that is | ||
33 | primarily designed to protect privacy ("DNT User"), we will take the following | ||
34 | measures with respect to those users' data, subject to the Exceptions, also | ||
35 | listed below: | ||
36 | |||
37 | 1. END USER IDENTIFIERS: | ||
38 | |||
39 | a. If a DNT User has logged in to our service, all user identifiers, such as | ||
40 | unique or nearly unique cookies, "supercookies" and fingerprints are | ||
41 | discarded as soon as the HTTP(S) response is issued. | ||
42 | |||
43 | Data structures which associate user identifiers with accounts may be | ||
44 | employed to recognize logged in users per Exception 4 below, but may not | ||
45 | be associated with records of the user's activities unless otherwise | ||
46 | excepted. | ||
47 | |||
48 | b. If a DNT User is not logged in to our service, we will take steps to ensure | ||
49 | that no user identifiers are transmitted to us at all. | ||
50 | |||
51 | 2. LOG RETENTION: | ||
52 | |||
53 | a. Logs with DNT Users' identifiers removed (but including IP addresses and | ||
54 | User Agent strings) may be retained for a period of 10 days or less, | ||
55 | unless an Exception (below) applies. This period of time balances privacy | ||
56 | concerns with the need to ensure that log processing systems have time to | ||
57 | operate; that operations engineers have time to monitor and fix technical | ||
58 | and performance problems; and that security and data aggregation systems | ||
59 | have time to operate. | ||
60 | |||
61 | b. These logs will not be used for any other purposes. | ||
62 | |||
63 | 3. OTHER DOMAINS: | ||
64 | |||
65 | a. If this domain transfers identifiable user data about DNT Users to | ||
66 | contractors, affiliates or other parties, or embeds from or posts data to | ||
67 | other domains, we will either: | ||
68 | |||
69 | b. ensure that the operators of those domains abide by this policy overall | ||
70 | by posting it at /.well-known/dnt-policy.txt via HTTPS on the domains in | ||
71 | question, | ||
72 | |||
73 | OR | ||
74 | |||
75 | ensure that the recipient's policies and practices require the recipient | ||
76 | to respect the policy for our DNT Users' data. | ||
77 | |||
78 | OR | ||
79 | |||
80 | obtain a contractual commitment from the recipient to respect this policy | ||
81 | for our DNT Users' data. | ||
82 | |||
83 | NOTE: if an “Other Domain” does not receive identifiable user information | ||
84 | from the domain because such information has been removed, because the | ||
85 | Other Domain does not log that information, or for some other reason, these | ||
86 | requirements do not apply. | ||
87 | |||
88 | c. "Identifiable" means any records which are not Anonymized or otherwise | ||
89 | covered by the Exceptions below. | ||
90 | |||
91 | 4. PERIODIC REASSERTION OF COMPLIANCE: | ||
92 | |||
93 | At least once every 12 months, we will take reasonable steps commensurate | ||
94 | with the size of our organization and the nature of our service to confirm | ||
95 | our ongoing compliance with this document, and we will publicly reassert our | ||
96 | compliance. | ||
97 | |||
98 | 5. USER NOTIFICATION: | ||
99 | |||
100 | a. If we are required by law to retain or disclose user identifiers, we will | ||
101 | attempt to provide the users with notice (unless we are prohibited or it | ||
102 | would be futile) that a request for their information has been made in | ||
103 | order to give the users an opportunity to object to the retention or | ||
104 | disclosure. | ||
105 | |||
106 | b. We will attempt to provide this notice by email, if the users have given | ||
107 | us an email address, and by postal mail if the users have provided a | ||
108 | postal address. | ||
109 | |||
110 | c. If the users do not challenge the disclosure request, we may be legally | ||
111 | required to turn over their information. | ||
112 | |||
113 | d. We may delay notice if we, in good faith, believe that an emergency | ||
114 | involving danger of death or serious physical injury to any person | ||
115 | requires disclosure without delay of information relating to the | ||
116 | emergency. | ||
117 | |||
118 | EXCEPTIONS | ||
119 | |||
120 | Data from DNT Users collected by this domain may be logged or retained only in | ||
121 | the following specific situations: | ||
122 | |||
123 | 1. CONSENT / "OPT BACK IN" | ||
124 | |||
125 | a. DNT Users are opting out from tracking across the Web. It is possible | ||
126 | that for some feature or functionality, we will need to ask a DNT User to | ||
127 | "opt back in" to be tracked by us across the entire Web. | ||
128 | |||
129 | b. If we do that, we will take reasonable steps to verify that the users who | ||
130 | select this option have genuinely intended to opt back in to tracking. | ||
131 | One way to do this is by performing scientifically reasonable user | ||
132 | studies with a representative sample of our users, but smaller | ||
133 | organizations can satisfy this requirement by other means. | ||
134 | |||
135 | c. Where we believe that we have opt back in consent, our server will | ||
136 | send a tracking value status header "Tk: C" as described in section 6.2 | ||
137 | of the W3C Tracking Preference Expression draft: | ||
138 | |||
139 | http://www.w3.org/TR/tracking-dnt/#tracking-status-value | ||
140 | |||
141 | 2. TRANSACTIONS | ||
142 | |||
143 | If a DNT User actively and knowingly enters a transaction with our | ||
144 | services (for instance, clicking on a clearly-labeled advertisement, | ||
145 | posting content to a widget, or purchasing an item), we will retain | ||
146 | necessary data for as long as required to perform the transaction. This | ||
147 | may for example include keeping auditing information for clicks on | ||
148 | advertising links; keeping a copy of posted content and the name of the | ||
149 | posting user; keeping server-side session IDs to recognize logged in | ||
150 | users; or keeping a copy of the physical address to which a purchased | ||
151 | item will be shipped. By their nature, some transactions will require data | ||
152 | to be retained indefinitely. | ||
153 | |||
154 | 3. TECHNICAL AND SECURITY LOGGING: | ||
155 | |||
156 | a. If, during the processing of the initial request (for unique identifiers) | ||
157 | or during the subsequent 10 days (for IP addresses and User Agent strings), | ||
158 | we obtain specific information that causes our employees or systems to | ||
159 | believe that a request is, or is likely to be, part of a security attack, | ||
160 | spam submission, or fraudulent transaction, then logs of those requests | ||
161 | are not subject to this policy. | ||
162 | |||
163 | b. If we encounter technical problems with our site, then, in rare | ||
164 | circumstances, we may retain logs for longer than 10 days, if that is | ||
165 | necessary to diagnose and fix those problems, but this practice will not be | ||
166 | routinized and we will strive to delete such logs as soon as possible. | ||
167 | |||
168 | 4. AGGREGATION: | ||
169 | |||
170 | a. We may retain and share anonymized datasets, such as aggregate records of | ||
171 | readership patterns; statistical models of user behavior; graphs of system | ||
172 | variables; data structures to count active users on monthly or yearly | ||
173 | bases; database tables mapping authentication cookies to logged in | ||
174 | accounts; non-unique data structures constructed within browsers for tasks | ||
175 | such as ad frequency capping or conversion tracking; or logs with truncated | ||
176 | and/or encrypted IP addresses and simplified User Agent strings. | ||
177 | |||
178 | b. "Anonymized" means we have conducted risk mitigation to ensure | ||
179 | that the dataset, plus any additional information that is in our | ||
180 | possession or likely to be available to us, does not allow the | ||
181 | reconstruction of reading habits, online or offline activity of groups of | ||
182 | fewer than 5000 individuals or devices. | ||
183 | |||
184 | c. If we generate anonymized datasets under this exception we will publicly | ||
185 | document our anonymization methods in sufficient detail to allow outside | ||
186 | experts to evaluate the effectiveness of those methods. | ||
187 | |||
188 | 5. ERRORS: | ||
189 | |||
190 | From time to time, there may be errors by which user data is temporarily | ||
191 | logged or retained in violation of this policy. If such errors are | ||
192 | inadvertent, rare, and made in good faith, they do not constitute a breach | ||
193 | of this policy. We will delete such data as soon as practicable after we | ||
194 | become aware of any error and take steps to ensure that it is deleted by any | ||
195 | third-party who may have had access to the data. | ||
196 | |||
197 | ADDITIONAL DEFINITIONS | ||
198 | |||
199 | "Fully Qualified Domain Name" means a domain name that addresses a computer | ||
200 | connected to the Internet. For instance, example1.com; www.example1.com; | ||
201 | ads.example1.com; and widgets.example2.com are all distinct FQDNs. | ||
202 | |||
203 | "Supercookie" means any technology other than an HTTP Cookie which can be used | ||
204 | by a server to associate identifiers with the clients that visit it. Examples | ||
205 | of supercookies include Flash LSO cookies, DOM storage, HTML5 storage, or | ||
206 | tricks to store information in caches or etags. | ||
207 | |||
208 | "Risk mitigation" means an engineering process that evaluates the possibility | ||
209 | and likelihood of various adverse outcomes, considers the available methods of | ||
210 | making those adverse outcomes less likely, and deploys sufficient mitigations | ||
211 | to bring the probability and harm from adverse outcomes below an acceptable | ||
212 | threshold. | ||
213 | |||
214 | "Reading habits" includes amongst other things lists of visited DNS names, if | ||
215 | those domains pertain to specific topics or activities, but records of visited | ||
216 | DNS names are not reading habits if those domain names serve content of a very | ||
217 | diverse and general nature, thereby revealing minimal information about the | ||
218 | opinions, interests or activities of the user. | ||